Target's data breach: No, really. It gets even worse.

Summary: Target and Neiman Marcus were not the only name brand retailers to be stung by cyber criminals last holiday season.


There appears to be no end in sight for just how bad the unprecedented hack attack at Target was last holiday season.

And now it looks like Target was not the lone, er, target, in this particular sting.

We've already heard about a similar style attack on the point-of-sale hardware infrastructure at high-end department store chain Neiman Marcus.

Now Reuters is reporting that cyber intelligence firm IntelCrawler has unearthed evidence pointing toward at least six ongoing schemes at U.S. merchants with credit card processing systems plagued by the same type of malicious software.

The news agency's report did not specify the other retailers afflicted by the attack -- only that the infected systems were at stores with locations in California and New York.

IntelCrawler followed up with a related memo published to its site on Friday, detailing evidence pointing to who could turn out to be the author of the BlackPOS malware that successfully lifted personal data from the magentic strips on the backs of credit cards belonging to more than 70 million Target shoppers between Thanksgiving and mid-December.

According to IntelCrawler's sources, the malware has been tested out and infected point-of-sale hardware across Australia and Canada as well as the United States.

On the same dates, the detailed information and reverse-engineering report were shared with Visa and several major US banks, after which US law enforcement (LEA) released an internal notification about it to the financial industry. The bad actor was quite open about trading this malware for 2,000 USD, or in return for 50% of the proceeds from selling all of the credit cards his customers intercepted, paid through Liberty Reserve.

The full report and associated screenshots are available on IntelCrawler's website now, with the hypothesis that "the age of BlackPOS malware author is close to 17 years old and the first sample of it was created in March 2013."

Image via IntelCrawler

Topics: Security, E-Commerce, Hardware, Privacy, Tech Industry


Talkback

68 comments
      • You mean: grammar?

        Hey, even the author refers to "magentic strips". I thought they were black, not magenta.
        alan_r_cam
  • Windows

    "with credit card processing systems plagued by the same type of malicious software"

    Why is it so hard to name names? They were running Windows. Is anyone all that surprised?
    rbgaynor
    • Guess they want the systems to work?

      Oh, and just so you know, if these were Linux based systems they would have done the exact same thing, just a different way.

      That's the part that isn't surprising.
      William.Farrel
      • nope -- just windoze

        BlackPOS infects computers running Windows that are part of POS systems and have card readers attached to them. These computers are generally found during automated Internet scans and are infected because they have unpatched vulnerabilities in the OS or use weak remote administration credentials, Komarov said. In some rare cases, the malware is also deployed with help from insiders, he said.

        Once installed on a POS system, the malware identifies the running process associated with the credit card reader and steals payment card Track 1 and Track 2 data from its memory. This is the information stored on the magnetic strip of payment cards and can later be used to clone them.
        bearded-grey
        • ram scraping can be performed on Linux as well

          Oh and MACs too...

          When you deploy malware to your POS System it runs like an app.
          greywolf7
          • Not necessarily...

            You have to have access to the memory provided... And that isn't mandatory.
            jessepollard
          • it clearly is accessible with the right technique

            And these malware creators are clearly sophisticated enough to use the necessary techniques.
            greywolf7
          • The POS system runs embedded Windows in this case

            The PCs the POS were connected to run Windows, the back-end network used to harvest the ram dump runs Windows. The malware is written for Windows and it was sold cheap.

            Please show me a real world example of a Linux POS being harvested like this.
            WhoRUKiddin
          • Theory vs reality...

            Up until a couple of weeks ago, you would have been just as hard-pressed to find a "real world" example of a Windows-based POS system falling victim to this kind of exploit. If nothing else, this should remind you that just because we haven't seen it done doesn't necessarily mean it can't be done. Linux may be more secure, but it isn't magic.
            daftkey
          • Reality.

            > "Up until a couple of weeks ago, you would have been just as hard-pressed to find a "real world" example of a Windows-based POS system falling victim to this kind of exploit"

            Not really. Hell, I can recall Subway falling prey to hacks on their Windows-based POS systems last year (twice within six months). There have been at least a half-dozen other restaurant chains complaining of the same problems. You just have to look.

            > Linux may be more secure, but it isn't magic.

            As long as Windows relies on security through obscurity, and continues to include code that was written when it was a single-user-I'm-the-admin system, it will always be a poor choice for any system that conducts financial transactions. Hacking Windows ATMs is getting downright common.
            3vi1
          • Have to read a little more to understand those hacks...

            "I can recall Subway falling prey to hacks on their Windows-based POS systems last year (twice within six months)"

            Which one are you referring to:

            The first one where Subway franchise owners were installing remote desktop applications on their POS systems without any end-to-end encryption and bypassing all the built-in security features while ignoring the advice of their own head office to, you know, NOT do any of those things?

            http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars

            Or the second one where a couple of ex-franchise owners decided to go into the POS business and sell turnkey POS systems to unwitting franchise owners (and probably other restaurateurs) with a ready-made backdoor already installed and ready for the taking?

            http://www.forbes.com/sites/billsinger/2013/03/15/subway-restaurants-rocked-by-pos-hackers/

            I'll admit, in a way you've addressed my "hard pressed to find a real-world example of a Windows-based POS being hacked", however the bigger issue is that this is hardly a clear indictment of Windows-based POS systems being at fault. Had the security recommendations been followed properly and tainted POS systems not been sold in the first place, this wouldn't have happened to Subway. On the other hand, if the same activities were to take place on a non-Windows POS, the same security breach would be possible and just as easy to pull off.

            "As long as Windows relies on security through obscurity, and continues to include code that was written when it was a single-user-i'm-the-admin system, it will always be a poor choice for any system that conducts financial transactions. Hacking Windows ATMs is getting downright common."

            Windows is the most common Point-of-sale operating system in use today - hardly relying on "security through obscurity", and it is hardly any less multi-user than Linux and other alternatives. The latest news about Target's hack and Windows ATM hacks all appear to be pointing to front-door access to the hackers and incorrect security configurations on the devices. That the systems are Windows-based doesn't really mean much, when the exploits used would be just as effective on an incorrectly configured system using any OS.
            daftkey
        • Internet Access?

          And why are any of these POS systems inbound accessible from the internet? These should all have been on an encrypted company internal VPN with any outbound access monitored by a deep packet inspection firewall.
          archangel9999
          • POS internet access

            You'd be asking too much of wet-behind-the-ears IT vo-tech grads?
            nuzerxe
          • vo-tech grad

            Trade school teachers usually make a point of making sure the students understand the techniques and concepts necessary to do the job well. We KNOW our students will get a raft of stuff from the people with BS and MS degrees no matter how good the students are. I originally got into engineering through a trade school and years later taught at one. I enjoyed pricking the arrogant assumptions of many of the degreed engineers I worked with and I taught my guys how to do it.
            DrJeffDrJeffTheFirst
        • bearded-grey - Do try to keep up, why don't you?

          "If these were Linux based systems they would have done the exact same thing, just a different way"

          Here, I'll spell it out for you - they wouldn't have used the written for Windows BlackPOS, they would have used a different program, but one that achieved the desired effect

          Different program; Same result.
          Same result; Different program.

          No matter how you say it, that's the reality.
          William.Farrel
          • Reality is Windows POS systems are easy targets

            "Malware Dump Memory Grabber Targeting POS Systems And ATMs Of Major US Banks

            Russian malware Vskimmer has the capability to steal credit card information from windows systems. Now a new malware is targeting point-of-sale (POS) systems and ATMs. The malware scans the memory of POS systems and ATMs looking for credit card data. It is claimed to have stolen payment card information from several US banks.

            Unlike the existing banking malware that infect individual user computers and intercepts online banking credentials and credit card details, attacks on POS systems and ATMs are far more sophisticated.

            The modus operandi of this type of malware attack involves infecting ATMs and physical POS systems, such as stand-alone kiosks and modern cash register systems, to collect secret and sensitive information of debit and credit cards.

            Most of the POS/ATM attacks relied on the “help of insiders,” such as the employees in charge of maintaining POS systems and authorised to update the software. A few POS systems running Windows XP or Windows Embedded with Remote Desktop or VNC software were infected remotely, and in some cases, attackers exploited vulnerabilities in ATM networks connecting to the bank’s VPN or GSM/GPRS networks.

            The Dump Memory Grabber malware collects Track 1 and Track 2 data and transfers the collected data to a remote command-and-control server. The Track 2 refers to data encoded into the magnetic stripe on the physical credit and debit card, and includes information such as the primary account number, first and last name, and expiration date. Criminals use the collected data and information to create cloned physical cards.

            The malware adds itself to the system registry so that it will automatically run whenever the system boots up. The malware’s payload program lists all the processes running on the system and then searches memory for sensitive data. The malware operator can limit the search to the memory of a specific application process or scan across all applications."

            You say the same thing can be done on Linux POS systems, please give an example.
            WhoRUKiddin
          • The reality is this was easily preventable with proper security process

            and you seem to be a shill with very limited or no real knowledge.
            greywolf7
          • Are you sure about Track1 and Track2?

            I work on PCI for our company. I'm fairly certain that only Track1 has the cardholder's name. Track1 has a higher density and thus the ability to store alphabetics. Track2 is in 4 bits + 1 parity format which allows for all the ASCII 0x3? data and thus can't hold alphabetic characters. It does hold the numbers and 6 punctuation characters. So you cannot get card holders name from Track2. Whatever the case, if you read both, you will get most of what you need to compromise the owner's number.
            ManoaHI
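As an added illustration of the Track 1 / Track 2 points raised in this thread (bearded-grey's description of what the scraper harvests, and ManoaHI's note on Track 2's character set), and not code from the article or from any commenter: a small DLP-style scanner that flags exposed track data in a constructed log excerpt, masks the PAN, and shows why Track 2 cannot carry a cardholder name. The PAN, name and log lines are constructed sample values.

```python
import re

# Track 2 symbols are 5-bit (4 data bits + 1 odd parity): 16 values, which
# map to ASCII 0x30-0x3F, i.e. the digits plus the six punctuation marks ':;<=>?'.
TRACK2_ALPHABET = set("0123456789:;<=>?")
# Track 1 symbols are 7-bit (6 data bits + 1 parity): 64 values, ASCII 0x20-0x5F,
# which is why Track 1 can hold the cardholder name and Track 2 cannot.
TRACK1_ALPHABET = {chr(c) for c in range(0x20, 0x60)}

# Constructed log excerpt: one line leaks a Track 1 record, one a Track 2 record.
# The PAN passes the Luhn check but is a well-known test number, not a real card.
SAMPLE_LOG = (
    "txn ok %B4111111111111111^DOE/JANE^29011010000000000000?\n"
    "debug ;4111111111111111=29011010000000000?\n"
    "heartbeat 0\n"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")

def luhn_ok(pan):
    """Luhn mod-10 check; cuts false positives from random digit runs."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        n = int(digit)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits, the usual PCI DSS display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def track2_can_hold(text):
    """True if every character is representable in Track 2's 16-symbol alphabet."""
    return all(ch in TRACK2_ALPHABET for ch in text)

def find_track_data(blob):
    """Return (track, masked PAN, name or None, YYMM) for each record found."""
    hits = []
    for m in TRACK1_RE.finditer(blob):
        if luhn_ok(m.group(1)):
            hits.append(("track1", mask_pan(m.group(1)), m.group(2), m.group(3)))
    for m in TRACK2_RE.finditer(blob):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask_pan(m.group(1)), None, m.group(2)))
    return hits

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print("exposed card data:", hit)
```

Run on a memory dump or application log from an incident, the same two regexes with the Luhn filter give a quick indicator of whether track data was present in cleartext; `track2_can_hold("DOE/JANE")` returning False is the concrete form of ManoaHI's point.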
          • I've been running Linux for 14 years, without AV.

            And never had a problem. I'd like to see an example of Linux also.

            This is part of the Windows universe, only.
            Joe.Smetona
          • Unless Android is also Linux...

            "I've been running Linux for 14 years, without AV.
            And never had a problem. I'd like to see an example of Linux also.
            This is part of the Windows universe, only."

            ..then I guess there are plenty of AV systems available.

            Welcome to a week-old conversation though, Joe. We missed you. Not enough comic relief in these here comment sections y'know...
            daftkey